[Mailman-Users] CGI account shouldn't be part ofmailman group, but...

Poster Poster at aurora.cotse.net
Wed Jul 13 01:20:24 CEST 2005

John Dennis said:
> Just to expand a bit on something I should have elaborated:
> There is exactly one member of the mailman group, the user mailman.
> When
> the MTA or web server want to perform a mailman operation it invokes
> what is called a wrapper. The wrappers are group mailman and are
> setgid,
> this means the wrapper executes as the group mailman even if the MTA
> or
> web server invoked it. The wrapper performs a security check on the
> process that invoked it to assure only permitted users have permission
> to invoke the wrapper, only the MTA is allowed to invoke the mail
> wrapper, only the web server is allowed to invoke the CGI wrapper.

OK. If I'm following this correctly, Mailman is run as setgid Mailman,
so whatever calls it acts as though it were in the Mailman group. To
prevent abuse of this, Mailman allows only those who pass its security
check to call it.

I'm running SUSE, which uses a mailman-cgi-gid file, instead of
compiling this option into Mailman itself. If I've got this right,
Mailman compares this file with the GID of the process calling it. If
they match, then the process goes ahead.

My mailman-cgi-gid file contains one number -- 8, which is the user
"nobody". In order to prevent Mailman from crashing with horrendous
permissions problems on locks and such, I had to change many files to
be owned by nobody.

I suppose that nobody doesn't have to be part of the mailman group,
and that's where I went off the path?

Thanks for the info!


More information about the Mailman-Users mailing list